## Vulnerable Application

This module exploits the .NET deserialization vulnerability within the RadAsyncUpload (RAU) component of Telerik UI ASP.NET AJAX that is identified as CVE-2019-18935. In order to do so, the module must upload a mixed-mode .NET assembly DLL, which is then loaded through the deserialization flaw. Uploading the file requires knowledge of the cryptographic keys used by RAU. The default values used by this module are the ones associated with CVE-2017-11317; once that issue is patched, these keys are randomized. It is also necessary to know the version of Telerik UI ASP.NET AJAX that is running. This version number is in the format `YYYY.#(.###)?`, where `YYYY` is the year of the release (e.g. `2020.3.915`).

### Version Reference

| Version                 | CVE-2017-11317                                  | CVE-2019-18935                    |
| ----------------------- | ----------------------------------------------- | --------------------------------- |
| < 2011.1.315            | Unknown                                         | Unknown                           |
| 2011.1.315 - 2017.2.621 | Vulnerable (unless patched and RAU is disabled) | Vulnerable                        |
| 2017.2.711 - 2019.3.917 | Configuration-dependent                         | Vulnerable                        |
| 2019.3.1023             | Configuration-dependent                         | Configuration-dependent (opt-in)  |
| > 2020.1.114            | Configuration-dependent                         | Configuration-dependent (default) |

* [https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload][1]
* [https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization][2]

### Configuring Telerik UI ASP.NET AJAX

Starting in version 2020.1.114, the application must be configured to be vulnerable by making changes to its XML configuration file (`web.config`). For the live demos included within the Telerik UI trial version, this file is located at `C:\Program Files (x86)\Progress\Telerik UI for ASP.NET AJAX R3 2020\Live Demos\web.config`. Within this configuration file is the `appSettings` node.
To make the instance vulnerable, add the following within this section and restart the application if necessary:

```xml
<appSettings>
  <!-- Configured to replicate CVE-2017-11317 -->
  <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="PrivateKeyForEncryptionOfRadAsyncUploadConfiguration"/>
  <add key="Telerik.Upload.ConfigurationHashKey" value="PrivateKeyForHashOfUploadConfiguration"/>
  <!-- Configured to replicate CVE-2019-18935 -->
  <add key="Telerik.Upload.AllowedCustomMetaDataTypes" value="System.Configuration.Install.AssemblyInstaller"/>
  <!-- ... include the remaining configuration options -->
```

## Verification Steps

Exploitation of this vulnerability requires knowledge of two things: the crypto keys (see the details for the `RAU_ENCRYPTION_KEY` and `RAU_SIGNING_KEY` options) and the Telerik UI ASP.NET AJAX version (see the details for the `VERSION` option).

1. Start msfconsole
1. Do: `use exploit/windows/http/telerik_rau_deserialization`
1. Set the `RHOSTS` and `PAYLOAD` options
1. Set any additional options as required by the previously selected payload
1. Optionally set the `VHOST`, `RPORT` and `SSL` options as appropriate
1. Set the `VERSION` option if it is known
1. Run the exploit

The DLL file which is written to disk and executed via the deserialization flaw will remain loaded and thus cannot be cleaned up automatically by Metasploit.

## Options

### RAU_ENCRYPTION_KEY

The encryption key for the RAU configuration data. This setting can be changed [starting in version 2017.1.118][1.1] by specifying the `Telerik.AsyncUpload.ConfigurationEncryptionKey` key within the `appSettings` section of the application's `web.config` XML file. The default value per CVE-2017-11317 is `PrivateKeyForEncryptionOfRadAsyncUploadConfiguration`.

### RAU_SIGNING_KEY

The signing key for the RAU configuration data.
This setting can be changed [starting in version 2017.1.118][1.1] by specifying the `Telerik.Upload.ConfigurationHashKey` key within the `appSettings` section of the application's `web.config` XML file. The default value per CVE-2017-11317 is `PrivateKeyForHashOfUploadConfiguration`. Versions older than 2017.1.118 do not utilize signing.

### VERSION

The Telerik UI ASP.NET AJAX version. If this value is not specified, the module will attempt to enumerate it through a series of requests using all known version numbers. This enumeration will fail if the correct crypto keys are not set. Alternatively, the version information can sometimes be identified without authentication.

> If the application using RadAsyncUpload does not require authentication, then you can usually find the UI version
> buried somewhere in the HTML source of the application's home page. The location of the version string isn't
> consistent, though, so the best method of locating it is to use Burp to search for the regular expression
> `20[0-9]{2}(\.[0-9]*)+` (and make sure you check the "Regex" box). You can also accomplish this with cURL:
>
> `curl -skL | grep -oE '20[0-9]{2}(\.[0-9]*)+'`
>
> If that doesn't work, you can alternatively search for the string `
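As an added example, not part of the module or its documentation, the following Python audits a `web.config` for the weak RAU settings described above (the CVE-2017-11317 default keys and the `AssemblyInstaller` custom metadata type) and maps a version string, located with the regex quoted above, to the CVE-2019-18935 column of the version table. The sample `web.config` is constructed for the example, and a version that falls on no row of the table is reported as unlisted rather than guessed.

```python
import re
import xml.etree.ElementTree as ET

# Values named on the page: the CVE-2017-11317 default keys and the CVE-2019-18935 opt-in type.
DEFAULT_ENCRYPTION_KEY = "PrivateKeyForEncryptionOfRadAsyncUploadConfiguration"
DEFAULT_HASH_KEY = "PrivateKeyForHashOfUploadConfiguration"
DANGEROUS_TYPE = "System.Configuration.Install.AssemblyInstaller"
VERSION_RE = re.compile(r"20[0-9]{2}(\.[0-9]*)+")  # the version regex quoted above

# Constructed sample mirroring the page's appSettings snippet; not taken from a real deployment.
SAMPLE_WEB_CONFIG = """<configuration><appSettings>
  <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="PrivateKeyForEncryptionOfRadAsyncUploadConfiguration"/>
  <add key="Telerik.Upload.ConfigurationHashKey" value="PrivateKeyForHashOfUploadConfiguration"/>
  <add key="Telerik.Upload.AllowedCustomMetaDataTypes" value="System.Configuration.Install.AssemblyInstaller"/>
</appSettings></configuration>"""

def app_settings(config_xml):
    """Collect the <add key=... value=...> entries under <appSettings> into a dict."""
    node = ET.fromstring(config_xml).find(".//appSettings")
    if node is None:
        return {}
    return {a.get("key"): a.get("value", "") for a in node.findall("add") if a.get("key")}

def audit_rau_config(config_xml):
    """List weak RAU settings; an absent key is not reported, since on a patched build absence means a randomized key."""
    s, findings = app_settings(config_xml), []
    if s.get("Telerik.AsyncUpload.ConfigurationEncryptionKey") == DEFAULT_ENCRYPTION_KEY:
        findings.append("encryption key is the CVE-2017-11317 default")
    if s.get("Telerik.Upload.ConfigurationHashKey") == DEFAULT_HASH_KEY:
        findings.append("signing key is the CVE-2017-11317 default")
    # Substring match, so no particular list separator is assumed for this setting.
    if DANGEROUS_TYPE in s.get("Telerik.Upload.AllowedCustomMetaDataTypes", ""):
        findings.append("AssemblyInstaller allowed as a custom metadata type (CVE-2019-18935)")
    return findings

def find_versions(html):
    """Candidate Telerik version strings found in page HTML using the page's regex."""
    return sorted({m.group(0).rstrip(".") for m in VERSION_RE.finditer(html)})

def deserialization_status(version):
    """Map a version string to the CVE-2019-18935 column of the version table above."""
    v = tuple(int(p) for p in version.split(".") if p)
    if v >= (2020, 1, 114):
        return "Configuration-dependent (default)"
    if v == (2019, 3, 1023):
        return "Configuration-dependent (opt-in)"
    if (2011, 1, 315) <= v <= (2019, 3, 917):
        return "Vulnerable"
    return "Unknown or not listed in the version table"
```

Running `audit_rau_config(SAMPLE_WEB_CONFIG)` returns all three findings; a config whose keys are set to non-default values returns an empty list.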